stronghold - Easily configure macOS security settings from the terminal.

  •        11

stronghold is the easiest way to securely configure your Mac. Designed for MacOS Sierra and High Sierra. Previously fortify.



Related Projects

Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by NSA and CISA

  •    Go

Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by NSA and CISA Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

Docker-Secure-Deployment-Guidelines - Deployment checklist for securely deploying Docker


Within today’s growing cloud-based IT market, there is a strong demand for virtualisation technologies. Unfortunately most virtualisation solutions are not flexible enough to meet developer requirements and the overhead implied by the use of full virtualisation solutions becomes a burden on the scalability of the infrastructure. Docker reduces that overhead by allowing developers and system administrators to seamlessly deploy containers for applications and services required for business operations. However, because Docker leverages the same kernel as the host system to reduce the need for resources, containers can be exposed to significant security risks if not adequately configured. The following itemised list suggests hardening actions that can be undertaken to improve the security posture of the containers within their respective environment. It should be noted that proposed solutions only apply to deployment of Linux Docker containers on Linux-based hosts, using the most recent release of Docker at the time of this writing (1.4.0, commit 4595d4f, dating 11/12/14). Part of the content below is based on publications from Jérôme Petazzoni [1] and Daniel J Walsh [2]. This document aims at adding on to their recommendations and how they can specifically be implemented within Docker. Note: Most of suggested command line options can be stored and used in a similar manner inside a Dockerfile for automated image building. Docker 1.3 now supports cryptographic signatures [3] to ascertain the origin and integrity of official repository images. This feature is however still a work in progress as Docker will issue a warning but not prevent the image from actually running. Furthermore, it does not apply to non-official images. In general, ensure that images are only retrieved from trusted repositories and that the --insecure-registry=[] command line option is never used.

awesome-windows-domain-hardening - A curated list of awesome Security Hardening techniques for Windows


A curated list of awesome Security Hardening techniques for Windows. This document summarizes the information related to Pyrotek and Harmj0y's DerbyCon talk called "111 Attacking EvilCorp Anatomy of a Corporate Hack". Video and slides are available below.

hardening - DevSec Examples

  •    Ruby

The Hardening Framework combines DevOps with Security. It implements hardening for Puppet, Chef and Ansible. One of the main goals for the Hardening Framework it to provide security as a plug-in mechanism. All modules are implemented as overlay modules and work in conjunction with the corresponding open source module like apache or nginx. This enables you to drop in hardening for your staging and production environments and reuse existing developments.

hardening - Hardening Ubuntu. Systemd edition.

  •    Shell

A quick way to make a Ubuntu server a bit more secure. Tested on 17.10 Artful Aardvark, 18.04 Bionic Beaver and 18.10 Cosmic Cuttlefish (under development).

How-To-Secure-A-Linux-Server - An evolving how-to guide for securing a Linux server.


An evolving how-to guide for securing a Linux server that, hopefully, also teaches you a little about security and why it matters. This guides purpose is to teach you how to secure a Linux server.

vuls - Vulnerability scanner for Linux/FreeBSD, agentless, written in Go

  •    Go

For a system administrator, having to perform security vulnerability analysis and software update on a daily basis can be a burden. To avoid downtime in production environment, it is common for system administrator to choose not to use the automatic update option provided by package manager and to perform update manually. This leads to the following problems. Vuls is a tool created to solve the problems listed above. It has the following characteristics.

terraform-aws-secure-baseline - Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices

  •    HCL

A terraform module to set up your AWS account with the reasonably secure configuration baseline. Most configurations are based on CIS Amazon Web Services Foundations v1.4.0 and AWS Foundational Security Best Practices v1.0.0. See Benchmark Compliance to check which items in various benchmarks are covered.

chef-os-hardening - This chef cookbook provides numerous security-related configurations, providing all-round base protection

  •    Ruby

This cookbook provides numerous security-related configurations, providing all-round base protection. In the current implementation different components are located in the different recipes. See the available recipes or default.rb for possible component names.

terminal-notifier - Send User Notifications on macOS from the command-line.

  •    Objective-C

terminal-notifier is a command-line tool to send macOS User Notifications, which are available on macOS 10.10 and higher. alerter features were merged in terminal-notifier 1.7. This led to some issues and even more issues in the 1.8 release. We decided with Valère Jeantet to rollback this merge.

hardentools - Hardentools is a utility that disables a number of risky Windows features.

  •    Go

Hardentools is a collection of simple utilities designed to disable a number of "features" exposed by operating systems (Microsoft Windows, for now), and primary consumer applications. These features, commonly thought for enterprise customers, are generally useless to regular users and rather pose as dangers as they are very commonly abused by attackers to execute malicious code on a victim's computer. The intent of this tool is to simply reduce the attack surface by disabling the low-hanging fruit. Hardentools is intended for individuals at risk, who might want an extra level of security at the price of some usability. It is not intended for corporate environments. WARNING: This is just an experiment, it is not meant for public distribution yet. Also, this tool disables a number of features, including of Microsoft Office, Adobe Reader, and Windows, that might cause malfunctions to certain applications. Use this at your own risk.

EggShell - iOS/macOS/Linux Remote Administration Tool

  •    Objective-C

EggShell is a post exploitation surveillance tool written in Python. It gives you a command line session with extra functionality between you and a target machine. EggShell gives you the power and convenience of uploading/downloading files, tab completion, taking pictures, location tracking, shell command execution, persistence, escalating privileges, password retrieval, and much more. This is project is a proof of concept, intended for use on machines you own. Eggshell payloads are executed on the target machine. The payload first sends over instructions for getting and sending back device details to our server and then chooses the appropriate executable to establish a secure remote control session.

rattlesnakeos-stack - Build your own privacy and security focused Android OS in the cloud on a continuous basis with OTA updates

  •    Go

RattlesnakeOS is a privacy and security focused Android OS for Google Pixel phones. RattlesnakeOS was created initially as an alternative to CopperheadOS, a security hardened Android OS created by Daniel Micay, after it stopped being properly maintained back in June 2018. To be clear, this project is not attempting to add or recreate any of the security hardening features that were present in CopperheadOS. Instead, it is looking to fill a gap now that CopperheadOS is no longer available in its previous form, as there are no real alternatives that provide the same level of privacy and security.

reg - Docker registry v2 command line client and repo listing generator with security checks.

  •    Go

Docker registry v2 command line client and repo listing generator with security checks. For installation instructions from binaries please visit the Releases Page.

acme - :lock: acmetool, an automatic certificate acquisition tool for ACME (Let's Encrypt)

  •    Go

acmetool is an easy-to-use command line tool for automatically acquiring certificates from ACME servers (such as Let's Encrypt). Designed to flexibly integrate into your webserver setup to enable automatic verification. Unlike the official Let's Encrypt client, this doesn't modify your web server configuration.You can perform verifications using port 80 or 443 (if you don't yet have a server running on one of them); via webroot; by configuring your webserver to proxy requests for /.well-known/acme-challenge/ to a special port (402) which acmetool can listen on; or by configuring your webserver not to listen on port 80, and instead running acmetool's built in HTTPS redirector (and challenge responder) on port 80. This is useful if all you want to do with port 80 is redirect people to port 443.

user.js - user.js -- Firefox configuration hardening

  •    Javascript

A user.js configuration file for Mozilla Firefox designed to harden browser settings and make it more secure. Do note that these settings alter your browser behaviour quite a bit, so it is recommended to either create a completely new profile for Firefox or backup your existing profile directory before putting the user.js file in place.

ansible-os-hardening - This Ansible role provides numerous security-related configurations, providing all-round base protection

  •    Ruby

This role provides numerous security-related configurations, providing all-round base protection. It is intended to be compliant with the DevSec Linux Baseline. If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the os_ignore_users-variable. Otherwise inspec will fail. For more information, see issue #124.

menyoki - Screen{shot,cast} and perform ImageOps on the command line 🌱 🏞️

  •    Rust

menyoki is a screencast and screenshot utility that can also perform various image related operations such as making/splitting GIFs and modifying/analyzing image files. It aims to be a lightweight command line tool for either helping out on day-to-day life operations or complicated detail-centric issues. Originally it was designed to record/screenshot terminal windows but it can be tweaked easily for other purposes with command line arguments, environment variables, or a configuration file. menyoki requires a window system implementation of the supported platform for record and capture actions. Other features are expected to work normally since they don't require a window system running (or grabbing a window to operate on). For example, despite the macOS is not listed as a supported platform, menyoki still can perform image operations such as edit and analyze if it's compiled on macOS.

We have large collection of open source products. Follow the tags from Tag Cloud >>

Open source products are scattered around the web. Please provide information about the open source projects you own / you use. Add Projects.